[netflow-tools] flowd-reader export
nathan at inorb.com
Wed Mar 29 03:15:53 EST 2006
Even when you are lucky enough to have the flags, it's not that
helpful: as flags are ORed, you end up, for a 'complete' TCP
'session', with both uni-directional flows having at least SAF set -
no way to distinguish the client (in an IP sense) from the server.
Or do I misunderstand you?
Okay - here's what I'm doing now as a test, and I want to see if this will
work as I anticipate. For TCP connections, I'm filtering only those that
are active connections (in my case, I don't care about those that aren't
full-fledged connections) using the flags, a la:
tcp_flags mask 0x12 equals 0x12
This creates a situation where the true connection source and
destination are reversed in the log, due to the stage of communication
at which these flags are set.
So, when I export them using my perl exporter, I simply invert them once
again to get the true source and destination for my final processing.
Does this work as I anticipate? Would this give me the actual source and
destinations? From what I've seen it does, but there may be exceptions.
Also, you mention, in a later message, that connections separated by
significant time will not be aggregated into a single entry. Any idea
how long this is, etc.? That becomes important. I have a long and memory
intensive process to remove these duplicates, but if I could have a
timeframe after which duplicate entries are not inserted, then I could
reduce the inefficiency of this process.
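The approach described in this message, as an added example that is not part of the thread, of flowd, or of the poster's perl exporter: apply the equivalent of the `tcp_flags mask 0x12 equals 0x12` filter to uni-directional flow records, invert src/dst on the matches, and collapse repeated exports of the same directed 5-tuple that fall within a time window. It also flags the case the quoted reply warns about, where ORed flags leave both directions of one session matching the filter, so inversion alone cannot say which end is the client. The record layout, the field names, the `window` parameter (the thread asks what the real aggregation gap is and does not state it) and the sample flows are all constructed for this example.

```python
"""Added example (not flowd, netflow-tools, or the poster's exporter code).

Filter NetFlow-style TCP records on ORed flags, invert src/dst as the
message describes, collapse duplicate exports within a window, and report
endpoint pairs where both directions matched (the ambiguous case).
All field names, the window length and the sample records are constructed.
"""
from collections import namedtuple

# Standard TCP flag bits as they appear in a NetFlow tcp_flags byte.
FIN, SYN, ACK = 0x01, 0x02, 0x10

# Constructed record layout: start time (seconds), endpoints, ORed flags.
Flow = namedtuple("Flow", "start src sport dst dport flags")

# Constructed sample: two sessions, each seen as two uni-directional flows.
# Session A: flags ORed over the life of each flow, so BOTH directions carry
#            SYN|ACK|FIN (the case the quoted reply describes).
# Session B: only the server->client flow carries SYN|ACK; a third record
#            re-exports that same direction 700 seconds later.
SAMPLE = [
    Flow(100, "10.0.0.5", 40001, "192.0.2.10", 443, SYN | ACK | FIN),
    Flow(100, "192.0.2.10", 443, "10.0.0.5", 40001, SYN | ACK | FIN),
    Flow(200, "10.0.0.7", 40002, "192.0.2.10", 80, SYN),
    Flow(200, "192.0.2.10", 80, "10.0.0.7", 40002, SYN | ACK),
    Flow(900, "192.0.2.10", 80, "10.0.0.7", 40002, SYN | ACK),
]


def matches(flow, mask=0x12, equals=0x12):
    """Same test as the flowd filter 'tcp_flags mask 0x12 equals 0x12'."""
    return (flow.flags & mask) == equals


def invert(flow):
    """Swap src/dst: a flow carrying SYN|ACK is taken as server->client,
    so swapping gives the client as source, as the message proposes."""
    return flow._replace(src=flow.dst, sport=flow.dport,
                         dst=flow.src, dport=flow.sport)


def sessions(flows, window=600):
    """Return (connections, ambiguous).

    connections: (client, cport, server, sport) -> list of start times, one
      per distinct connection. A matching record whose directed 5-tuple was
      already seen within `window` seconds (hypothetical value) is treated
      as a duplicate export of the same connection and dropped.
    ambiguous: endpoint pairs for which both uni-directional flows matched
      the filter, i.e. the inversion trick cannot identify the client.
    """
    connections = {}
    directions_seen = {}
    ambiguous = []
    for f in sorted(flows, key=lambda x: x.start):  # stable: keeps pair order
        if not matches(f):
            continue
        c = invert(f)
        key = (c.src, c.sport, c.dst, c.dport)
        pair = frozenset([(f.src, f.sport), (f.dst, f.dport)])
        dirs = directions_seen.setdefault(pair, set())
        dirs.add((f.src, f.sport))
        if len(dirs) == 2 and pair not in ambiguous:
            ambiguous.append(pair)
        starts = connections.setdefault(key, [])
        if starts and f.start - starts[-1] <= window:
            continue  # duplicate export inside the window
        starts.append(f.start)
    return connections, ambiguous


if __name__ == "__main__":
    conns, amb = sessions(SAMPLE)
    for key, starts in conns.items():
        print("%s:%d -> %s:%d  connections at %s" % (key + (starts,)))
    for pair in amb:
        print("ambiguous (both directions matched):", sorted(pair))
```

With the sample above, session A shows up twice in `connections` with opposite endpoints and is listed as ambiguous, which is the exception the poster asks about; session B is recovered with the client on the left, and the third record is kept as a second connection only because it falls outside the window.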